The university turns to a real-time cyber-attack detection system that uses data science, machine learning and behavioral analysis to detect attacks in progress.

Detecting and thwarting attempted network breaches as soon as they take place are increasingly at the center of an effective cyber-security strategy. Zero-day vulnerabilities and other attacks are on the rise, but many conventional tools—including firewalls, sandboxing, endpoint security and intrusion detection systems—offer essential but limited protection.

"Perimeter defenses are important, but they do not provide any visibility into what is taking place on the internal network," says Hernan Londono, associate CIO at Barry University.

The Catholic liberal arts university, which has more than 8,000 students enrolled at 19 campuses scattered across Florida and the Virgin Islands, faces many of the same challenges as any educational facility or business.

"Protecting systems and assets is a growing challenge, especially with the growing use of mobile devices that move on and off the campus on a daily basis," Londono explains. "As students, faculty and staff come and go with their computing devices, there's a risk of infecting the network. Conventional perimeter defense systems aren't necessarily going to detect these problems."

Last May, Barry University turned to a real-time cyber-attack detection solution from Vectra. It uses data science, machine learning and behavioral analysis to detect attacks in progress. Without relying on signatures or reputation lists, the system identifies, correlates, scores and prioritizes active attacks so security teams can rapidly mitigate threats that pose the greatest danger.

"We are able to receive an alert as soon as an incident occurs," Londono reports. "We can take a look at the machine within the network and take immediate steps to mitigate the risk. While there is no way to be 100 percent protected from attacks and infections, the system greatly reduces the risk."

Detecting an Attack in Progress

In fact, the automated threat management solution paid dividends as quickly as the school had it up and running. It immediately detected a data exfiltration attack in progress, issued an alert, and the security team took steps to stop it.

Londono says that the malware would have almost certainly spread and wreaked havoc across the school's network. The fact that the solution continuously listens and learns to identify all phases of active cyber-attacks—such as command-and-control behavior, internal reconnaissance, botnet monetization, lateral movement and data exfiltration—was critical.

In another instance, the threat detection solution identified a group of misconfigured printers. Although a breach had not taken place, the school was able to adjust the settings and eliminate the vulnerability.

Londono says the Vectra solution is an important part of the university's multi-pronged defense. "It provides us with detailed information about the telemetry of the incident, including an IP address and a time stamp of data being moved, the protocols being used and when there is a command-and-control activity taking place," he adds.

Moreover, the system displays a probability score for attack certainty and a second score for attack severity. "The scoring makes it a lot easier to get a handle on an incident immediately and know how to address it in terms of procedures and resources," Londono explains.

Samuel Greengard writes about business and technology for Baseline, CIO Insight and other publications. His most recent book is The Internet of Things (MIT Press, 2015).